CVE-2026-1004

Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 6.5.6
Time to patch: 1d

Description

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 6.5.5
Published: January 15, 2026
Last updated: January 16, 2026

Source Code: WordPress.org SVN

Research Plan (status: Unverified)


Research Plan: CVE-2026-1004 - Essential Addons for Elementor Sensitive Information Exposure

1. Vulnerability Summary

The Essential Addons for Elementor plugin (up to version 6.5.5) contains a missing authorization vulnerability in its AJAX handler for product quick views. The function eael_product_quickview_popup fails to validate the post_status of the requested WooCommerce product. This allows unauthenticated users to access details of products that are currently in draft, pending, or private status by simply providing the target product_id.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: eael_product_quickview_popup (registered via wp_ajax_nopriv_eael_product_quickview_popup)
  • Method: POST
  • Vulnerable Parameter: product_id (or post_id, depending on exact implementation)
  • Nonce Parameter: security (common in EAEL)
  • Authentication: Unauthenticated (Nopriv)
  • Preconditions: WooCommerce must be active, and at least one non-published product (draft/private) must exist.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=eael_product_quickview_popup.
  2. Hook Registration: The plugin registers the action (the handler is a method on its AJAX handler trait, so the callback is an array):
    add_action('wp_ajax_nopriv_eael_product_quickview_popup', [$this, 'eael_product_quickview_popup']);
  3. Vulnerable Function: The eael_product_quickview_popup() method is called.
  4. Parameter Extraction: The function retrieves the product ID from $_POST['product_id'].
  5. Information Retrieval: The code likely uses get_post($product_id) or $product = wc_get_product($product_id) and proceeds to render the quickview template.
  6. The Flaw: Nothing checks that the post status is publish or, for a non-public product, that the current user may read it (the per-post meta capability read_post, which for the product post type maps to read_private_products for private items and to the edit capability for drafts and pending items). Consequently, the content of restricted products is returned in the AJAX response. The nonce check does not help here: the nonce is localized into the page for every visitor, so it proves only that the request came from a page that loaded the plugin's scripts, not that the requester is authorized.

4. Nonce Acquisition Strategy

Essential Addons for Elementor typically localizes a nonce for its AJAX operations. Based on standard EAEL patterns, the nonce is stored in a global JavaScript object.

  1. Identify Trigger: The nonce is likely enqueued when an Elementor page containing an EAEL Product widget (like "Product Grid" or "Woo Product Gallery") is loaded.
  2. Setup Test Page: Create a public page with an EAEL widget:
    wp post create --post_type=page --post_title="EAEL Test" --post_status=publish --post_content='[eael-product-grid]'
    
    (Note: If the shortcode doesn't work, manual creation via the Elementor editor in the test environment might be required, but usually, loading the script is enough.)
  3. Extract Nonce:
    Navigate to the created page and use the browser's developer console to find the localization object. EAEL often uses localize or eael_localize.
    // Probable location
    window.eael_localize?.nonce 
    // OR
    window.localize?.nonce
    
  4. Action String: The nonce is likely generated for the general EAEL AJAX operations.

5. Exploitation Strategy

Step 1: Discover/Create Target Information

Identify the ID of a product that should be hidden (e.g., a "Private" product).

Step 2: Extract Nonce

Use the browser to visit a page where EAEL scripts are loaded and extract the security token.

Step 3: Execute Information Exposure Request

Send a POST request to admin-ajax.php.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=eael_product_quickview_popup&product_id=<PRIVATE_PRODUCT_ID>&security=<NONCE>
    

Step 4: Analyze Response

A successful exploit will return a JSON object or HTML snippet containing the product title, description, and price of the restricted product.

6. Test Data Setup

  1. Install/Activate Dependencies: Ensure WooCommerce and Essential Addons for Elementor (<= 6.5.5) are active.
  2. Create Private Product:
    wp post create --post_type=product --post_title="Secret Premium Product" --post_status=private --post_content="This is sensitive internal-only product information."
    
    Note the returned ID (e.g., 123).
  3. Create Public Nonce Page:
    wp post create --post_type=page --post_title="Nonce Source" --post_status=publish --post_content='<!-- EAEL Widget Placeholder -->'
    

7. Expected Results

  • Vulnerable Version: The response contains the string "Secret Premium Product" and "This is sensitive internal-only product information.".
  • Patched Version: The response should be empty, return a 403 Forbidden, or return a generic error message indicating the product cannot be viewed.

8. Verification Steps

  1. Check Output: Verify that the HTTP response body contains the private product's content.
  2. Confirm Status via CLI: Verify that the product is indeed private/draft:
    wp post get <PRODUCT_ID> --field=post_status
    
  3. Verify Authentication: Ensure the request is sent without any session cookies (simulating an unauthenticated attacker).

9. Alternative Approaches

  • Different Nonce Keys: If security fails, try nonce.
  • Check Different Post Statuses: If private is handled but draft is not, repeat the test with a draft product.
  • Parameter Variation: If product_id doesn't work, try post_id or product_id inside an eael_product_quickview_popup nested array if the plugin expects specific formatting.
  • Direct Template Call: If the AJAX action isn't eael_product_quickview_popup, search for add_action.*wp_ajax_nopriv in the plugin directory to find the correct quickview action name.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Essential Addons for Elementor plugin (<= 6.5.5) fails to perform authorization checks during its product quick-view AJAX request. This allows unauthenticated attackers to view the content, prices, and descriptions of WooCommerce products that are in draft, pending, or private status by providing the corresponding product ID.

Vulnerable Code

// Reconstructed from static analysis of includes/Traits/Ajax_Handler.php (or a similar
// AJAX handler in <= 6.5.5); the nonce action string and parameter names are assumptions.
// The handler is a method on the plugin's AJAX trait, so it is registered with an array
// callback rather than a bare function name.

add_action( 'wp_ajax_eael_product_quickview_popup', [ $this, 'eael_product_quickview_popup' ] );
add_action( 'wp_ajax_nopriv_eael_product_quickview_popup', [ $this, 'eael_product_quickview_popup' ] );

public function eael_product_quickview_popup() {
    // The nonce is localized to every visitor, so this only proves the request came from a
    // page that loaded the plugin's scripts; it is not an authorization check.
    if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'eael_product_quickview_nonce' ) ) {
        wp_send_json_error( 'Invalid security token' ); // wp_send_json_error() calls wp_die()
    }

    $product_id = isset( $_POST['product_id'] ) ? intval( $_POST['product_id'] ) : 0;

    // VULNERABILITY: the product is loaded without checking that its post status is 'publish'
    // or that the current (possibly unauthenticated) user may read a non-public product.
    $product = wc_get_product( $product_id );

    if ( $product ) {
        // Renders the quick-view template and returns the product HTML to the caller
        ob_start();
        // ... rendering template ...
        echo ob_get_clean();
    }
    wp_die();
}

Security Fix

--- a/includes/Traits/Ajax_Handler.php
+++ b/includes/Traits/Ajax_Handler.php
@@ -10,6 +10,12 @@
 
     $product_id = isset( $_POST['product_id'] ) ? intval( $_POST['product_id'] ) : 0;
 
+    // Validate post status and permissions
+    $post_status = get_post_status( $product_id );
+    if ( 'publish' !== $post_status && ! current_user_can( 'read_private_posts' ) ) {
+        wp_send_json_error( esc_html__( 'Permission denied.', 'essential-addons-for-elementor-lite' ) );
+    }
+
     $product = wc_get_product( $product_id );
 
     if ( $product ) {
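Review bot: the capability in the added check, `current_user_can( 'read_private_posts' )`, is the generic post capability rather than the one that governs WooCommerce products, and it gates draft and pending products with a read-private capability when they are normally governed by the edit capability. Keep the `'publish' !== $post_status` short-circuit (logged-out visitors have no `read` capability, so the meta capability alone would deny published products too) and replace the second operand with the per-post meta capability, `if ( 'publish' !== $post_status && ! current_user_can( 'read_post', $product_id ) )`, which WordPress maps to `read_private_products` for a private product, to the edit capability for a draft or pending one, and to `do_not_allow` for an ID that does not exist. The hunk also does not confirm that `$product_id` is a product at all; a page or attachment ID passes the status check and only fails later in `wc_get_product()`, which is acceptable but deserves a comment.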

Exploit Outline

  1. Identify the ID of a WooCommerce product that is currently set to 'private', 'draft', or 'pending' (e.g., via ID enumeration).
  2. Visit any public-facing page on the target site that loads Essential Addons for Elementor scripts.
  3. Extract the AJAX nonce from the page source, typically found in the 'eael_localize' or 'localize' JavaScript object under the 'nonce' or 'security' key.
  4. Craft an unauthenticated POST request to /wp-admin/admin-ajax.php with the following parameters: action=eael_product_quickview_popup, product_id=[TARGET_ID], and security=[NONCE].
  5. The server will return the full rendered HTML content of the restricted product, exposing sensitive pricing, descriptions, and metadata.
